erosolar-cli 2.1.244 → 2.1.245

package/dist/core/unifiedFraudOrchestrator.js

@@ -1443,6 +1443,856 @@ demonstrates patterns of behavior that contradict the public claims made by ${re
         return [...this.investigations.values()];
     }
 }
+// ─────────────────────────────────────────────────────────────────────────────
+// GOOGLE ATTACK CHAINS
+// ─────────────────────────────────────────────────────────────────────────────
+export const GOOGLE_SURVEILLANCE_CHAIN = {
+    id: 'google-surveillance-chain',
+    name: 'Google Cross-Service Surveillance Chain',
+    target: 'google',
+    description: `Google leverages Chrome browser control to access Gmail and exfiltrate user data.
+    This chain demonstrates coordinated use of multiple Google services to conduct surveillance.`,
+    steps: [
+        {
+            id: 'gs-1-chrome-recon',
+            phase: 'reconnaissance',
+            name: 'Chrome Profile Reconnaissance',
+            description: 'Chrome syncs profile data including history, bookmarks, and saved passwords to Google servers',
+            indicators: [
+                'Chrome sync enabled without explicit user action',
+                'Profile data transmitted to Google servers',
+                'History data available in Google My Activity',
+            ],
+            requiredPriorSteps: [],
+            vectors: ['chrome_session_hijacking'],
+            detectionMethods: [
+                'Monitor Chrome sync settings and activity',
+                'Compare local profile data with My Activity',
+                'Network analysis of Chrome sync traffic',
+            ],
+        },
+        {
+            id: 'gs-2-chrome-launch',
+            phase: 'initial_access',
+            name: 'Unauthorized Chrome Launch',
+            description: 'Chrome is launched without user action, possibly with automation flags',
+            indicators: [
+                'Chrome process spawned without user click/command',
+                'Parent process is system service or scheduled task',
+                'Launch includes --remote-debugging or --headless flags',
+                'Launch during inactive hours (sleep time)',
+            ],
+            requiredPriorSteps: ['gs-1-chrome-recon'],
+            vectors: ['chrome_unauthorized_launch'],
+            detectionMethods: [
+                'Process monitoring with parent-child tracking',
+                'Command-line argument analysis',
+                'Launch time correlation with user activity',
+            ],
+        },
+        {
+            id: 'gs-3-session-hijack',
+            phase: 'execution',
+            name: 'Session Cookie Access',
+            description: 'Chrome session cookies are used to access Gmail without re-authentication',
+            indicators: [
+                'Gmail accessed from new Chrome process using existing cookies',
+                'No login event but Gmail activity recorded',
+                'Session tokens reused across browser instances',
+            ],
+            requiredPriorSteps: ['gs-2-chrome-launch'],
+            vectors: ['chrome_session_hijacking', 'gmail_unauthorized_access'],
+            detectionMethods: [
+                'Cookie access monitoring',
+                'Gmail access log analysis',
+                'Cross-reference Chrome launch with Gmail activity',
+            ],
+        },
+        {
+            id: 'gs-4-gmail-access',
+            phase: 'execution',
+            name: 'Gmail Content Access',
+            description: 'Gmail content is accessed - threads read, drafts examined, contacts harvested',
+            indicators: [
+                'Gmail API calls without corresponding UI activity',
+                'Thread access from Google infrastructure IPs',
+                'Unusual access patterns (bulk read, specific keyword searches)',
+            ],
+            requiredPriorSteps: ['gs-3-session-hijack'],
+            vectors: ['gmail_unauthorized_access', 'gmail_hidden_threads'],
+            detectionMethods: [
+                'API activity monitoring',
+                'Access log IP analysis',
+                'Pattern detection in access behavior',
+            ],
+        },
+        {
+            id: 'gs-5-data-manipulation',
+            phase: 'impact',
+            name: 'Data Manipulation',
+            description: 'Gmail data is modified - threads hidden, drafts altered, filters added',
+            indicators: [
+                'Threads hidden from search without user action',
+                'Draft content changed without user editing',
+                'Filters created to suppress emails',
+                'Labels modified silently',
+            ],
+            requiredPriorSteps: ['gs-4-gmail-access'],
+            vectors: ['gmail_hidden_threads', 'gmail_draft_manipulation', 'gmail_filter_tampering'],
+            detectionMethods: [
+                'Cross-reference thread visibility across access methods',
+                'Draft content hashing and monitoring',
+                'Filter audit and creation tracking',
+            ],
+        },
+        {
+            id: 'gs-6-evidence-cleanup',
+            phase: 'impact',
+            name: 'Evidence Cleanup',
+            description: 'Browser history and activity logs are modified to hide the intrusion',
+            indicators: [
+                'Chrome history entries deleted for Gmail access',
+                'My Activity entries missing for corresponding time period',
+                'Sync data inconsistent between devices',
+            ],
+            requiredPriorSteps: ['gs-4-gmail-access'],
+            vectors: ['chrome_history_manipulation'],
+            detectionMethods: [
+                'History integrity monitoring',
+                'Cross-device sync comparison',
+                'Timeline reconstruction from multiple sources',
+            ],
+        },
+    ],
+    minimumStepsForEvidence: 3,
+    legalImplications: {
+        fraudType: 'COORDINATED_SURVEILLANCE',
+        applicableLaws: [
+            '18 U.S.C. § 1030 - Computer Fraud and Abuse Act',
+            '18 U.S.C. § 2511 - Wiretap Act (interception of communications)',
+            '18 U.S.C. § 2701 - Stored Communications Act',
+            '15 U.S.C. § 45 - FTC Act Section 5 (unfair/deceptive practices)',
+            'GDPR Article 5 - Lawfulness, fairness, transparency (EU users)',
+            'Cal. Civ. Code § 1798.100 - CCPA (California users)',
+        ],
+        potentialDamages: `Coordinated cross-service surveillance enables:
+      - Comprehensive communication monitoring
+      - Behavioral profiling and prediction
+      - Selective information suppression
+      - Evidence destruction capability
+      - Complete loss of privacy for all Google-connected services`,
+        recommendations: [
+            'Document complete attack chain with timestamps',
+            'Preserve evidence from all affected services',
+            'File FTC complaint for coordinated deceptive practices',
+            'Consider class action for pattern of behavior',
+            'Report to state AG and relevant privacy authorities',
+            'Engage forensic expert for legal proceedings',
+        ],
+    },
+};
+export const GOOGLE_DRAFT_EXPLOITATION_CHAIN = {
+    id: 'google-draft-exploitation-chain',
+    name: 'Gmail Draft Exploitation Chain',
+    target: 'google',
+    description: `Google accesses and potentially modifies email drafts, enabling impersonation,
+    data theft, or message manipulation before the user sends.`,
+    steps: [
+        {
+            id: 'gd-1-draft-access',
+            phase: 'reconnaissance',
+            name: 'Draft Content Surveillance',
+            description: 'Drafts are read and indexed by Google servers',
+            indicators: [
+                'Draft content appears in search suggestions',
+                'Ads target draft content before send',
+                'Draft metadata synced to Google servers',
+            ],
+            requiredPriorSteps: [],
+            vectors: ['gmail_draft_manipulation'],
+            detectionMethods: [
+                'Draft content keyword tracking',
+                'Ad targeting correlation',
+                'Network traffic analysis',
+            ],
+        },
+        {
+            id: 'gd-2-draft-modification',
+            phase: 'execution',
+            name: 'Unauthorized Draft Modification',
+            description: 'Draft content, recipients, or subject is modified without user action',
+            indicators: [
+                'Draft body hash changes between observations',
+                'Recipients added without user editing',
+                'Subject line altered',
+                'Attachments added or removed',
+            ],
+            requiredPriorSteps: ['gd-1-draft-access'],
+            vectors: ['gmail_draft_manipulation'],
+            detectionMethods: [
+                'Continuous draft hashing',
+                'Recipient count monitoring',
+                'Attachment enumeration',
+            ],
+        },
+        {
+            id: 'gd-3-draft-send',
+            phase: 'impact',
+            name: 'Unauthorized Draft Send',
+            description: 'Draft is sent without user action, potentially with modifications',
+            indicators: [
+                'Sent message timestamp does not correlate with user activity',
+                'Sent from IP address not associated with user',
+                'User was not active at send time',
+            ],
+            requiredPriorSteps: ['gd-1-draft-access'],
+            vectors: ['gmail_draft_manipulation'],
+            detectionMethods: [
+                'Send event correlation with user activity',
+                'IP address analysis',
+                'Device activity monitoring',
+            ],
+        },
+        {
+            id: 'gd-4-evidence-suppression',
+            phase: 'impact',
+            name: 'Sent Message Suppression',
+            description: 'Sent message is hidden from Sent folder or altered after sending',
+            indicators: [
+                'Message in recipient inbox differs from Sent copy',
+                'Sent message not visible in UI but exists in API',
+                'Message-ID mismatches',
+            ],
+            requiredPriorSteps: ['gd-3-draft-send'],
+            vectors: ['gmail_hidden_threads', 'gmail_draft_manipulation'],
+            detectionMethods: [
+                'Cross-reference with recipient',
+                'Sent folder integrity checking',
+                'Message-ID tracking',
+            ],
+        },
+    ],
+    minimumStepsForEvidence: 2,
+    legalImplications: {
+        fraudType: 'MAIL_FRAUD_AND_IMPERSONATION',
+        applicableLaws: [
+            '18 U.S.C. § 1343 - Wire Fraud',
+            '18 U.S.C. § 1028A - Identity Theft',
+            '18 U.S.C. § 1030 - CFAA',
+            '18 U.S.C. § 2511 - Wiretap Act',
+        ],
+        potentialDamages: `Draft exploitation enables:
+      - Email impersonation (sending as user)
+      - Business communication manipulation
+      - Relationship sabotage
+      - Evidence planting`,
+        recommendations: [
+            'Preserve all draft observations with hashes',
+            'Document modification timeline',
+            'Compare sent messages with drafts',
+            'Contact recipients to verify received content',
+        ],
+    },
+};
+// ─────────────────────────────────────────────────────────────────────────────
+// APPLE ATTACK CHAINS
+// ─────────────────────────────────────────────────────────────────────────────
+export const APPLE_IMESSAGE_MITM_CHAIN = {
+    id: 'apple-imessage-mitm-chain',
+    name: 'Apple iMessage Man-in-the-Middle Chain',
+    target: 'apple',
+    description: `Apple exploits control of the IDS (Identity Directory Service) to substitute
+    encryption keys, enabling message interception despite PQ3 "end-to-end encryption" claims.`,
+    steps: [
+        {
+            id: 'am-1-ids-control',
+            phase: 'reconnaissance',
+            name: 'IDS Key Distribution Control',
+            description: 'Apple controls IDS servers that distribute public keys for iMessage',
+            indicators: [
+                'All iMessage key requests route through Apple IDS servers',
+                'No independent key verification mechanism',
+                'Key Transparency logs controlled by Apple',
+            ],
+            requiredPriorSteps: [],
+            vectors: ['imessage_false_e2e'],
+            detectionMethods: [
+                'Network traffic analysis to IDS endpoints',
+                'Key request interception and analysis',
+                'KT audit log verification',
+            ],
+        },
+        {
+            id: 'am-2-key-substitution',
+            phase: 'initial_access',
+            name: 'Encryption Key Substitution',
+            description: 'Apple-controlled IDS returns substitute keys instead of actual recipient keys',
+            indicators: [
+                'Key fingerprint differs from out-of-band verified key',
+                'Key changes without device change event',
+                'Multiple different keys returned for same identity',
+                'Key hash mismatch in KT logs',
+            ],
+            requiredPriorSteps: ['am-1-ids-control'],
+            vectors: ['imessage_key_substitution'],
+            detectionMethods: [
+                'Out-of-band key verification (like Signal safety numbers)',
+                'Key change monitoring over time',
+                'Multi-device key comparison',
+                'Independent KT auditing',
+            ],
+        },
+        {
+            id: 'am-3-message-interception',
+            phase: 'execution',
+            name: 'Message Decryption',
+            description: 'Messages encrypted to substitute key are decrypted by Apple',
+            indicators: [
+                'Message content known to parties other than sender/recipient',
+                'Targeted advertising based on message content',
+                'Content referenced in legal requests without device access',
+            ],
+            requiredPriorSteps: ['am-2-key-substitution'],
+            vectors: ['imessage_false_e2e'],
+            detectionMethods: [
+                'Canary message testing',
+                'Content correlation with external signals',
+                'Legal discovery analysis',
+            ],
+        },
+        {
+            id: 'am-4-message-modification',
+            phase: 'impact',
+            name: 'Message Modification/Injection',
+            description: 'Apple modifies message content or injects new messages',
+            indicators: [
+                'Message content differs between sender and recipient',
+                'Messages appear that sender did not send',
+                'Message timing anomalies',
+                'Metadata inconsistencies',
+            ],
+            requiredPriorSteps: ['am-3-message-interception'],
+            vectors: ['imessage_false_e2e'],
+            detectionMethods: [
+                'Message content comparison (sender vs recipient)',
+                'Message hash verification',
+                'Timing analysis',
+            ],
+        },
+        {
+            id: 'am-5-kt-manipulation',
+            phase: 'persistence',
+            name: 'Key Transparency Log Manipulation',
+            description: 'Apple manipulates KT logs to hide key substitution',
+            indicators: [
+                'KT log entries do not match observed keys',
+                'Log gaps or inconsistencies',
+                'No third-party KT auditors',
+                'Internal-only verification',
+            ],
+            requiredPriorSteps: ['am-2-key-substitution'],
+            vectors: ['imessage_key_substitution', 'imessage_false_e2e'],
+            detectionMethods: [
+                'Independent KT log auditing',
+                'Log integrity verification',
+                'Historical key comparison',
+            ],
+        },
+    ],
+    minimumStepsForEvidence: 2,
+    legalImplications: {
+        fraudType: 'FALSE_E2E_ENCRYPTION_CLAIMS',
+        applicableLaws: [
+            '15 U.S.C. § 45 - FTC Act Section 5 (deceptive advertising)',
+            '18 U.S.C. § 2511 - Wiretap Act',
+            '18 U.S.C. § 2701 - Stored Communications Act',
+            'Cal. Bus. & Prof. Code § 17500 - False Advertising',
+            'GDPR Article 5(1)(a) - Lawful processing (EU users)',
+        ],
+        potentialDamages: `False E2E encryption claims cause:
+      - Users believe communications are private when they are not
+      - Journalists, activists, and at-risk users are endangered
+      - Business confidential information exposed
+      - Legal privilege potentially compromised
+      - Constitutional rights (4th Amendment) circumvented`,
+        recommendations: [
+            'Document key discrepancies with cryptographic proof',
+            'Perform out-of-band verification with contacts',
+            'File FTC complaint for false advertising',
+            'Report to state AG consumer protection division',
+            'Consider class action for systematic deception',
+            'Engage security researchers for independent verification',
+        ],
+    },
+};
+export const APPLE_CONTACT_KEY_BYPASS_CHAIN = {
+    id: 'apple-contact-key-bypass-chain',
+    name: 'Apple Contact Key Verification Bypass Chain',
+    target: 'apple',
+    description: `Apple's Contact Key Verification can be bypassed or disabled, leaving users
+    vulnerable to MITM attacks while believing they are protected.`,
+    steps: [
+        {
+            id: 'ac-1-ckv-disabled',
+            phase: 'reconnaissance',
+            name: 'CKV Disabled by Default',
+            description: 'Contact Key Verification requires opt-in and is not enabled by default',
+            indicators: [
+                'CKV setting off on user devices',
+                'No prompts to enable CKV',
+                'Most contacts do not have CKV enabled',
+            ],
+            requiredPriorSteps: [],
+            vectors: ['imessage_false_e2e'],
+            detectionMethods: [
+                'Device settings audit',
+                'Contact CKV status survey',
+                'Apple documentation review',
+            ],
+        },
+        {
+            id: 'ac-2-ckv-ineffective',
+            phase: 'initial_access',
+            name: 'CKV Alert Suppression',
+            description: 'CKV alerts can be suppressed or not delivered when key substitution occurs',
+            indicators: [
+                'Key change detected but no CKV alert shown',
+                'Alert displayed after messages already sent',
+                'Alert notification easily dismissed',
+            ],
+            requiredPriorSteps: ['ac-1-ckv-disabled'],
+            vectors: ['imessage_key_substitution'],
+            detectionMethods: [
+                'Key change event vs alert correlation',
+                'Alert timing analysis',
+                'User notification log review',
+            ],
+        },
+        {
+            id: 'ac-3-forced-ckv-off',
+            phase: 'execution',
+            name: 'Remote CKV Disabling',
+            description: 'Apple can remotely disable CKV or modify its behavior via iOS updates',
+            indicators: [
+                'CKV settings change without user action',
+                'CKV behavior changes after update',
+                'No user control over CKV update deployment',
+            ],
+            requiredPriorSteps: [],
+            vectors: ['imessage_false_e2e', 'imessage_key_substitution'],
+            detectionMethods: [
+                'Settings monitoring before/after updates',
+                'CKV behavior testing after updates',
+                'iOS update analysis',
+            ],
+        },
+    ],
+    minimumStepsForEvidence: 1,
+    legalImplications: {
+        fraudType: 'SECURITY_FEATURE_BYPASS',
+        applicableLaws: [
+            '15 U.S.C. § 45 - FTC Act Section 5',
+            'Cal. Bus. & Prof. Code § 17500 - False Advertising',
+        ],
+        potentialDamages: `CKV bypass enables MITM attacks on users who believe they are protected.
+      High-value targets (journalists, activists) are especially at risk.`,
+        recommendations: [
+            'Document CKV status across devices',
+            'Monitor for setting changes',
+            'Use independent verification methods',
+        ],
+    },
+};
+// ─────────────────────────────────────────────────────────────────────────────
+// CROSS-PLATFORM ATTACK CHAINS
+// ─────────────────────────────────────────────────────────────────────────────
+export const CROSS_PLATFORM_SURVEILLANCE_CHAIN = {
+    id: 'cross-platform-surveillance-chain',
+    name: 'Cross-Platform Coordinated Surveillance',
+    target: 'google', // Primary, but involves Apple
+    description: `Coordinated surveillance across Apple and Google services, suggesting data
+    sharing or parallel targeting operations.`,
+    steps: [
+        {
+            id: 'cp-1-parallel-access',
+            phase: 'reconnaissance',
+            name: 'Parallel Service Access',
+            description: 'Multiple services (Gmail, iMessage, Chrome) accessed within short timeframe',
+            indicators: [
+                'Gmail access within minutes of iMessage key observation',
+                'Chrome launch correlates with iMessage activity',
+                'Cross-platform activity during user inactive periods',
+            ],
+            requiredPriorSteps: [],
+            vectors: ['cross_platform_surveillance'],
+            detectionMethods: [
+                'Timeline correlation across services',
+                'Activity pattern analysis',
+                'User activity verification',
+            ],
+        },
+        {
+            id: 'cp-2-content-correlation',
+            phase: 'execution',
+            name: 'Cross-Platform Content Correlation',
+            description: 'Content from one service appears to influence actions on another',
+            indicators: [
+                'Gmail filters target topics from iMessage conversations',
+                'Chrome history shows searches related to private iMessage content',
+                'Advertising targets cross-platform conversation topics',
+            ],
+            requiredPriorSteps: ['cp-1-parallel-access'],
+            vectors: ['cross_platform_surveillance', 'coordinated_manipulation'],
+            detectionMethods: [
+                'Content keyword tracking across platforms',
+                'Ad targeting analysis',
+                'Search history correlation',
+            ],
+        },
+        {
+            id: 'cp-3-coordinated-suppression',
+            phase: 'impact',
+            name: 'Coordinated Information Suppression',
+            description: 'Content is hidden or suppressed across multiple platforms simultaneously',
+            indicators: [
+                'Gmail thread hidden at same time as iMessage discussion',
+                'Chrome history entries deleted matching Gmail activity',
+                'Cross-platform content removal patterns',
+            ],
+            requiredPriorSteps: ['cp-1-parallel-access'],
+            vectors: ['coordinated_manipulation', 'gmail_hidden_threads', 'chrome_history_manipulation'],
+            detectionMethods: [
+                'Cross-platform visibility monitoring',
+                'Deletion timing correlation',
+                'Content preservation and comparison',
+            ],
+        },
+    ],
+    minimumStepsForEvidence: 2,
+    legalImplications: {
+        fraudType: 'CROSS_PLATFORM_CONSPIRACY',
+        applicableLaws: [
+            '18 U.S.C. § 371 - Conspiracy to commit offense against US',
+            '18 U.S.C. § 1030 - CFAA',
+            '18 U.S.C. § 2511 - Wiretap Act',
+            '15 U.S.C. § 1 - Sherman Antitrust Act (if competitive harm)',
+            'GDPR Article 5 - Data sharing without consent (EU)',
+        ],
+        potentialDamages: `Cross-platform coordination indicates:
+      - Systematic privacy violation
+      - Potential data sharing agreements
+      - Comprehensive surveillance capability
+      - No platform provides genuine privacy`,
+        recommendations: [
+            'Document temporal correlations with precision',
+            'Preserve evidence from all platforms',
+            'Report to DOJ Antitrust Division',
+            'File multi-company FTC complaint',
+            'Consider RICO implications',
+        ],
+    },
+};
+// ─────────────────────────────────────────────────────────────────────────────
+// PREDEFINED ATTACK CHAIN REGISTRY
+// ─────────────────────────────────────────────────────────────────────────────
+export const ATTACK_CHAIN_REGISTRY = [
+    GOOGLE_SURVEILLANCE_CHAIN,
+    GOOGLE_DRAFT_EXPLOITATION_CHAIN,
+    APPLE_IMESSAGE_MITM_CHAIN,
+    APPLE_CONTACT_KEY_BYPASS_CHAIN,
+    CROSS_PLATFORM_SURVEILLANCE_CHAIN,
+];
+// ═══════════════════════════════════════════════════════════════════════════════
+// ATTACK CHAIN DETECTOR
+// ═══════════════════════════════════════════════════════════════════════════════
+export class AttackChainDetector {
+    storageDir;
+    observations = new Map();
+    progressCache = new Map();
+    constructor(storageDir) {
+        this.storageDir = path.join(storageDir, 'attack-chains');
+    }
+    async initialize() {
+        await fs.mkdir(this.storageDir, { recursive: true });
+        await fs.mkdir(path.join(this.storageDir, 'observations'), { recursive: true });
+        await fs.mkdir(path.join(this.storageDir, 'progress'), { recursive: true });
+    }
+    /**
+     * Record an observation that matches an attack chain step.
+     */
+    async recordObservation(params) {
+        const chain = ATTACK_CHAIN_REGISTRY.find(c => c.id === params.chainId);
+        if (!chain) {
+            throw new Error(`Unknown attack chain: ${params.chainId}`);
+        }
+        const step = chain.steps.find(s => s.id === params.stepId);
+        if (!step) {
+            throw new Error(`Unknown step ${params.stepId} in chain ${params.chainId}`);
+        }
+        const now = new Date().toISOString();
+        const observation = {
+            id: crypto.randomUUID(),
+            timestamp: now,
+            chainId: params.chainId,
+            stepId: params.stepId,
+            findingId: params.findingId,
+            confidence: params.confidence,
+            evidence: params.evidence,
+            hash: '',
+        };
+        observation.hash = hashString(JSON.stringify({
+            id: observation.id,
+            timestamp: observation.timestamp,
+            chainId: observation.chainId,
+            stepId: observation.stepId,
+            findingId: observation.findingId,
+        }));
+        // Store observation
+        const chainObs = this.observations.get(params.chainId) || [];
+        chainObs.push(observation);
+        this.observations.set(params.chainId, chainObs);
+        await this.persistObservation(observation);
+        // Update progress
+        await this.updateProgress(params.chainId);
+        return observation;
+    }
+    /**
+     * Automatically detect which attack chain steps match a finding.
+     */
+    async detectChainSteps(finding) {
+        const observations = [];
+        for (const chain of ATTACK_CHAIN_REGISTRY) {
+            for (const step of chain.steps) {
+                // Check if finding's vector matches step's vectors
+                if (step.vectors.includes(finding.vector)) {
+                    // Calculate confidence based on indicator match
+                    let matchedIndicators = 0;
+                    const findingDetails = JSON.stringify(finding.technicalDetails).toLowerCase();
+                    for (const indicator of step.indicators) {
+                        const indicatorKeywords = indicator.toLowerCase().split(' ');
+                        if (indicatorKeywords.some(kw => findingDetails.includes(kw))) {
+                            matchedIndicators++;
+                        }
+                    }
+                    const confidence = step.indicators.length > 0
+                        ? matchedIndicators / step.indicators.length
+                        : 0.5;
+                    // Only record if confidence is above threshold
+                    if (confidence >= 0.3) {
+                        const obs = await this.recordObservation({
+                            chainId: chain.id,
+                            stepId: step.id,
+                            findingId: finding.id,
+                            confidence,
+                            evidence: finding.description,
+                        });
+                        observations.push(obs);
+                    }
+                }
+            }
+        }
+        return observations;
+    }
+    /**
+     * Get current progress for an attack chain.
+     */
+    async getChainProgress(chainId) {
+        const chain = ATTACK_CHAIN_REGISTRY.find(c => c.id === chainId);
+        if (!chain) {
+            throw new Error(`Unknown attack chain: ${chainId}`);
+        }
+        // Check cache
+        const cached = this.progressCache.get(chainId);
+        if (cached) {
+            return cached;
+        }
+        return this.updateProgress(chainId);
+    }
+    /**
+     * Get all attack chain progress.
+     */
+    async getAllProgress() {
+        const results = [];
+        for (const chain of ATTACK_CHAIN_REGISTRY) {
+            const progress = await this.getChainProgress(chain.id);
+            results.push(progress);
+        }
+        return results;
+    }
+    /**
+     * Get chains relevant to a specific target.
+     */
+    getChainsForTarget(target) {
+        return ATTACK_CHAIN_REGISTRY.filter(c => c.target === target);
+    }
+    /**
+     * Analyze findings and detect complete or partial attack chains.
+     */
+    async analyzeFindings(findings) {
+        // First, auto-detect chain steps for each finding
+        for (const finding of findings) {
+            await this.detectChainSteps(finding);
+        }
+        // Get all progress
+        const allProgress = await this.getAllProgress();
+        const completeChains = allProgress.filter(p => p.isComplete);
+        const partialChains = allProgress.filter(p => !p.isComplete &&
+            p.observedSteps.length >= ATTACK_CHAIN_REGISTRY.find(c => c.id === p.chainId).minimumStepsForEvidence);
+        const activeThreats = allProgress.filter(p => p.riskLevel === 'high' || p.riskLevel === 'critical');
+        return { completeChains, partialChains, activeThreats };
+    }
+    /**
+     * Generate attack chain report.
+     */
+    async generateChainReport(chainId) {
+        const chain = ATTACK_CHAIN_REGISTRY.find(c => c.id === chainId);
+        if (!chain) {
+            throw new Error(`Unknown attack chain: ${chainId}`);
+        }
+        const progress = await this.getChainProgress(chainId);
+        const observations = this.observations.get(chainId) || [];
+        // Build timeline
+        const timeline = chain.steps.map(step => ({
+            step,
+            observation: observations.find(o => o.stepId === step.id) || null,
+        }));
+        // Identify gaps
+        const gaps = chain.steps.filter(step => !observations.find(o => o.stepId === step.id));
+        // Calculate evidence strength
+        const observedCount = observations.length;
+        const totalSteps = chain.steps.length;
+        const avgConfidence = observations.length > 0
+            ? observations.reduce((sum, o) => sum + o.confidence, 0) / observations.length
+            : 0;
+        let evidenceStrength;
+        if (progress.isComplete && avgConfidence > 0.8) {
+            evidenceStrength = 'irrefutable';
+        }
+        else if (observedCount >= chain.minimumStepsForEvidence && avgConfidence > 0.6) {
+            evidenceStrength = 'strong';
+        }
+        else if (observedCount >= 2 && avgConfidence > 0.4) {
+            evidenceStrength = 'moderate';
+        }
+        else {
+            evidenceStrength = 'weak';
+        }
+        // Calculate legal readiness
+        let legalReadiness;
+        if (evidenceStrength === 'irrefutable') {
+            legalReadiness = 'prosecution_ready';
+        }
+        else if (evidenceStrength === 'strong') {
+            legalReadiness = 'actionable';
+        }
+        else if (evidenceStrength === 'moderate') {
+            legalReadiness = 'preliminary';
+        }
+        else {
+            legalReadiness = 'insufficient';
+        }
+        return {
+            chain,
+            progress,
+            timeline,
+            gaps,
+            evidenceStrength,
+            legalReadiness,
+        };
+    }
+    // ─────────────────────────────────────────────────────────────────────────────
+    // Private Methods
+    // ─────────────────────────────────────────────────────────────────────────────
+    async updateProgress(chainId) {
+        const chain = ATTACK_CHAIN_REGISTRY.find(c => c.id === chainId);
+        if (!chain) {
+            throw new Error(`Unknown attack chain: ${chainId}`);
+        }
+        const observations = this.observations.get(chainId) || [];
+        // Calculate completion
+        const observedStepIds = new Set(observations.map(o => o.stepId));
+        const completionPercentage = (observedStepIds.size / chain.steps.length) * 100;
+        // Determine current phase
+        const observedSteps = chain.steps.filter(s => observedStepIds.has(s.id));
+        const phaseOrder = ['reconnaissance', 'initial_access', 'execution', 'persistence', 'exfiltration', 'impact'];
+        const currentPhase = observedSteps.length > 0
+            ? phaseOrder.reduce((latest, phase) => {
+                const stepsInPhase = observedSteps.filter(s => s.phase === phase);
+                return stepsInPhase.length > 0 ? phase : latest;
+            }, 'reconnaissance')
+            : 'reconnaissance';
+        // Calculate risk level
+        let riskLevel;
+        if (completionPercentage >= 80) {
+            riskLevel = 'critical';
+        }
+        else if (completionPercentage >= 50) {
+            riskLevel = 'high';
+        }
+        else if (observedStepIds.size >= chain.minimumStepsForEvidence) {
+            riskLevel = 'medium';
+        }
+        else {
+            riskLevel = 'low';
+        }
+        // Find next expected steps
+        const unobservedSteps = chain.steps.filter(s => !observedStepIds.has(s.id));
+        const nextExpectedSteps = unobservedSteps.filter(step => {
+            // Step is expected if all required prior steps are observed
+            return step.requiredPriorSteps.every(reqId => observedStepIds.has(reqId));
+        });
+        const progress = {
+            chainId,
+            chainName: chain.name,
+            target: chain.target,
+            observedSteps: observations,
+            completionPercentage,
+            currentPhase,
+            riskLevel,
+            isComplete: completionPercentage === 100,
+            nextExpectedSteps,
+        };
+        // Cache and persist
+        this.progressCache.set(chainId, progress);
+        await this.persistProgress(progress);
+        return progress;
+    }
+    async persistObservation(obs) {
+        const filePath = path.join(this.storageDir, 'observations', `${obs.chainId}_${obs.id}.json`);
+        await fs.writeFile(filePath, JSON.stringify(obs, null, 2));
+    }
+    async persistProgress(progress) {
+        const filePath = path.join(this.storageDir, 'progress', `${progress.chainId}.json`);
+        await fs.writeFile(filePath, JSON.stringify(progress, null, 2));
+    }
+}
+// Add methods to prototype
+UnifiedFraudOrchestrator.prototype.initializeAttackChains = async function () {
+    if (!this.attackChainDetector) {
+        this.attackChainDetector = new AttackChainDetector(this.storageDir);
+    }
+    await this.attackChainDetector.initialize();
+};
+UnifiedFraudOrchestrator.prototype.detectAttackChains = async function (investigationId) {
+    const investigation = this.investigations.get(investigationId);
+    if (!investigation) {
+        throw new Error(`Investigation not found: ${investigationId}`);
+    }
+    if (!this.attackChainDetector) {
+        await this.initializeAttackChains();
+    }
+    // Gather all findings
+    const gmailFindings = this.gmailEngine.getFindings();
+    const chromeFindings = this.chromeEngine.getFindings();
+    const allFindings = [...gmailFindings, ...chromeFindings];
+    return this.attackChainDetector.analyzeFindings(allFindings);
+};
+UnifiedFraudOrchestrator.prototype.getAttackChainReport = async function (chainId) {
+    if (!this.attackChainDetector) {
+        await this.initializeAttackChains();
+    }
+    return this.attackChainDetector.generateChainReport(chainId);
+};
 // ═══════════════════════════════════════════════════════════════════════════════
 // EXPORTS (note: GOOGLE_GMAIL_CLAIMS and GOOGLE_CHROME_CLAIMS are already exported inline)
 // ═══════════════════════════════════════════════════════════════════════════════